Removable storage devices such as USB Flash Disks (UFD), Secure Digital (SD) cards, and the like are small-form-factor devices that are easily portable and can have significant storage capacity. While their portability and large storage capacity provide significant advantages to users for transferring data, these same attributes present a significant security challenge for companies, laboratories and other organizations. The small size, large storage capacity and ease of use of such devices could allow unsupervised visitors or unscrupulous employees to smuggle confidential data out of an organization with little chance of detection. Moreover, computer systems are vulnerable to attack by malicious software introduced into the system from removable devices.
In view of these concerns, despite the clear advantages provided by removable storage devices, many organizations are taking steps to prevent their usage. Some organizations forbid all manner of removable storage device usage. Some organizations configure computers, one at a time, to disconnect or otherwise disable the ports within which removable storage devices are received. Other organizations have gone so far as to plug the removable storage device ports with epoxy or the like.
It would be advantageous for IT administrators to be able to control the use of and access by removable storage devices on a network-wide basis. At present, Windows®-based operating systems employ a group policy framework. Group policy is an infrastructure in which one or more desired configurations or policy settings may be set at a single domain controller and then applied to one or more groups of users and/or computers across a network. Group policy employs a collection of settings, referred to as group policy objects ("GPOs"), that define what one or more client computers will look like and how they will behave for one or more defined groups of users. In addition to allowing different privileges for different user groups, group policy also allows software installations, updates and changes to be applied across an entire network of computers via a simple change to an existing GPO. This reduces the administrative burden and costs associated with managing these resources.
Group policy is currently used to manage and control software features available on a given computer or available to a given user. A wide variety of software attributes and functions may be controlled via group policy, including security policy, scripts for logon/logoff and startup/shutdown, and Internet Explorer settings. Removable storage devices have not conventionally been controlled through group policy. While it is known that the operation of a class of removable storage devices can be inhibited, for example by disabling the CD/DVD drives through the I/O manager in the Windows® operating system, no system is known to the inventor for selectively applying access rights to each device on a given client computer.
By the same token, the installation of unique class identifier devices, removable or otherwise, presents similar security risks. A unique class identifier device is a generic term for a device which identifies itself as belonging to a set of devices with specific functionality, where the unique class identifier may not already be known to the operating system. A custom GUID (globally unique identifier) is one example of a unique class identifier. When a vendor develops a previously unknown device for use on or with a Windows® operating system computing device, the vendor generates a unique class identifier for that device. The Windows® operating system includes a tool (guidgen.exe) for generating unique class identifiers for new devices. Over time, as the device becomes more common, the unique class identifier may be identified to the Windows® operating system (either as a snap-in to an existing version, or written into a new version). At that time, the GUID device class for that device becomes known, or standard. As one example, Windows Portable Devices ("WPDs"), including portable media players, digital still cameras and mobile phones, were assigned a unique class identifier in older versions of the Windows® operating system. However, in the Windows Vista™ operating system, WPDs have been identified to the operating system and are now considered a standard device class.
Once the device class for a device is known, group policy may be set for that device. However, conventionally, there are no mechanisms for setting group policy for unique class identifier devices. Consequently, until a device class GUID is identified to the operating system and becomes known, there is no way to restrict usage of or access to such devices using group policy.
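As an added illustration that is not part of this description, the following PowerShell audit script lists the device setup classes present on a Windows computer and reports any class that is neither on an administrator-maintained approved list nor denied by the Device Installation Restrictions policy; it reads state only and changes nothing. The use of the Get-PnpDevice cmdlet, the registry location of the denied-class list, and the approved-class list itself are assumptions made for this example.

```powershell
# Added audit example (not from the patent text). Assumptions: the PnpDevice
# module (Get-PnpDevice) is available, and the "Prevent installation of devices
# using drivers that match these device setup classes" policy stores one string
# value per denied setup-class GUID under the registry key below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses'

# Constructed allowlist of setup-class GUIDs an administrator has already reviewed.
# Anything outside this list and outside the deny policy is reported for review,
# which is where a vendor-generated (non-standard) class GUID would surface.
$ApprovedClasses = @(
    '{4d36e96b-e325-11ce-bfc1-08002be10318}'  # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}'  # Mouse
    '{4d36e972-e325-11ce-bfc1-08002be10318}'  # Net
)

# Read the class GUIDs currently denied by policy (empty if the policy is unset).
$Denied = @()
if (Test-Path $PolicyKey) {
    $item = Get-Item $PolicyKey
    $Denied = $item.GetValueNames() |
        ForEach-Object { [string]$item.GetValue($_) } |
        Where-Object { $_ } |
        ForEach-Object { $_.ToLower() }
}

# Group present devices by setup class and classify each class.
Get-PnpDevice -PresentOnly |
    Where-Object { $_.ClassGuid } |
    Group-Object -Property ClassGuid |
    ForEach-Object {
        $guid = $_.Name.ToLower()
        [pscustomobject]@{
            ClassGuid  = $guid
            ClassName  = ($_.Group | Select-Object -First 1).Class
            Devices    = $_.Count
            Approved   = $ApprovedClasses -contains $guid
            DeniedByGP = $Denied -contains $guid
        }
    } |
    Where-Object { -not $_.Approved -and -not $_.DeniedByGP } |
    Sort-Object Devices -Descending |
    Format-Table -AutoSize
```

Each reported row is a setup class present on the machine that no policy covers; the administrator can then decide whether to add the GUID to the allowlist or to the deny policy.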